DAQ – Data AcQuisition, the packet acquisition library (or libraries). Snort uses it to pull packets off the wire (Snort has no built-in packet capture of its own). DAQ provides a layer of abstraction between the Snort engine and the hardware the bits are flowing through. DAQ modes: inline, passive, or read from file.

Variables used in the rule header’s 5-tuple default to “any” unless they are set. So a rule header like “alert tcp $EXTERNAL_NET any -> $SERVERS 80” will default to “alert tcp any any -> any 80”.

Host Attribute Table – an XML file keyed by IP address that specifies the OS and the service-to-port associations of each host. A rule can use this information so that it only applies to hosts actually running the relevant service, for example “service http” for hosts running a web server. In open source Snort, the HAT has to be built manually. In Sourcefire/Cisco products, the HAT is built automatically by passively watching network traffic.
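Added example (not from the original note or from Snort itself): a small parser for a constructed attribute table, plus a simplified model of how a “service http” rule is narrowed by the HAT. The element names follow the layout of the Snort 2.x manual’s sample attribute table as I recall it, and the matching logic (HAT-labelled port must carry the rule’s service; otherwise fall back to the rule’s port list) is an assumption to check against your Snort version.

```python
import xml.etree.ElementTree as ET

# Constructed sample HAT. Element names follow the Snort 2.x manual's sample
# table as recalled here (assumption); one Linux host with http on 8080, ssh on 22.
SAMPLE_HAT = """<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <ENTRY><ID>1</ID><VALUE>linux</VALUE></ENTRY>
    <ENTRY><ID>2</ID><VALUE>http</VALUE></ENTRY>
    <ENTRY><ID>3</ID><VALUE>ssh</VALUE></ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE><HOST><IP>192.168.1.10</IP>
    <OPERATING_SYSTEM><NAME><ATTRIBUTE_ID>1</ATTRIBUTE_ID></NAME></OPERATING_SYSTEM>
    <SERVICES>
      <SERVICE><PORT><ATTRIBUTE_VALUE>8080</ATTRIBUTE_VALUE></PORT>
        <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE></IPPROTO>
        <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID></PROTOCOL></SERVICE>
      <SERVICE><PORT><ATTRIBUTE_VALUE>22</ATTRIBUTE_VALUE></PORT>
        <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE></IPPROTO>
        <PROTOCOL><ATTRIBUTE_ID>3</ATTRIBUTE_ID></PROTOCOL></SERVICE>
    </SERVICES>
  </HOST></ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""


def parse_hat(xml_text):
    """Return {ip: {(ipproto, port): service_name}} from an attribute table."""
    root = ET.fromstring(xml_text)
    # ATTRIBUTE_MAP turns numeric IDs into names such as "http".
    names = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    hosts = {}
    for host in root.iter("HOST"):
        services = {}
        for svc in host.iter("SERVICE"):
            port = int(svc.findtext("PORT/ATTRIBUTE_VALUE"))
            proto = svc.findtext("IPPROTO/ATTRIBUTE_VALUE")
            services[(proto, port)] = names[svc.findtext("PROTOCOL/ATTRIBUTE_ID")]
        hosts[host.findtext("IP")] = services
    return hosts


def rule_applies(hat, dst_ip, ipproto, dst_port, rule_ports, rule_service):
    """Simplified model (assumption, not Snort's code) of 'metadata: service X':
    if the HAT labels the destination port, that label must equal X; if the
    host or port is unknown to the HAT, fall back to the rule's own port list."""
    known = hat.get(dst_ip, {}).get((ipproto, dst_port))
    if known is not None:
        return known == rule_service
    return dst_port in rule_ports
```

With this model an http rule written for port 80 still applies to the host's web server on 8080, and does not apply to traffic to its ssh port even if 22 were listed in the rule.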